DNSSEC and the Geopolitical Future of the Internet

synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."

Clarify something for me...

[AdmiralXyz]

From TFA:

Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

Isn't that a good thing?

distributed solutions please?

[alexandre]

Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones...
But no, centralized control is much more fun in the eyes of politician who care more about guaranteeing their retirement than freedom for everybody.

Re:distributed solutions please?

Your user ID (53) is not only very low, it is also the port number that dns queries are sent to.

Re:distributed solutions please?

[grcumb]

This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.

Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.

In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.

I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.

Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....

Re:DNSSEC is an arduous solution

[lukas84]

DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does bind.

PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.

No, in this case hierarchical is correct

[John.P.Jones]

DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.

Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.

Re:DNSSEC is an arduous solution

[Burdell]

Put down the djb Kool-Aid. DNSCurve and DNSSEC do not address the same thing. DNSCurve is essentially SSL for DNS, which requires some way to establish trust with each server you talk to. Since end-users typically only talk to their ISP's recursive servers, that's not too much work, but it only protects the path from the ISP's servers to the end-users (which ISPs can typically protect themselves). DNSCurve does nothing to authenticate the DNS data itself. DNSSEC, on the other hand, authenticates the data at the source. If you look up foo.bar.com, that record can be signed in the bar.com zone, which has trust anchors in .com, which has trust anchors in the root. It doesn't matter who serves the record to you; you can be sure that the data is valid.

Some ISPs would prefer people to use DNSCurve and think DNS is secure, because it does nothing to protect the data. Those ISPs would still be able to change the results (e.g. all the NXDOMAIN web pages, URL redirects, etc. are still possible). That can't happen with DNSSEC and an authenticating resolver.

DNSSEC is not set-it-and-forget-it because true security requires maintenance. It isn't just a response to cache poisoning attacks, it addresses the security of the whole system.

Re:DNSSEC is an arduous solution

[Kaboom13]

It's a sad state of affairs, but when you think about it, modern ISP's must be treated as a malicious and disruptive man in the middle attack when it comes to DNS. Not only do they constantly interfere in proper dns operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough, I just hope ISPs don't start rewriting destination addresses to continue their abuse.